<!--

    Licensed to Jasig under one or more contributor license
    agreements. See the NOTICE file distributed with this work
    for additional information regarding copyright ownership.
    Jasig licenses this file to you under the Apache License,
    Version 2.0 (the "License"); you may not use this file
    except in compliance with the License.  You may obtain a
    copy of the License at the following location:

      http://www.apache.org/licenses/LICENSE-2.0

    Unless required by applicable law or agreed to in writing,
    software distributed under the License is distributed on an
    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
    KIND, either express or implied.  See the License for the
    specific language governing permissions and limitations
    under the License.

-->
<html>
<body>
<p>Credentials is a marker interface for an opaque object that may be recognized by
Handlers and Resolvers. Credentials may be a Userid/Password, Certificate,
RemoteUser, IP address, etc.</p>
<p>When the simple AuthenticationManagerImpl is
used, that bean is configured with a list of AuthenticationHandlers that
validate Credentials and CredentialsToPrincipalResolvers that turn Credentials
into Principal objects.</p>
<p>The Authentication Handler validates Credentials but does not extract
information. This seems curious in the simple case when the credential are a
Userid/Password. It becomes clearer for a Certificate. A Certificate is valid if
you trust the CA, if it hasn't expired, and if it isn't revoked. You can decide
all this, and still not have the foggiest idea what ID to give to the person (if
it is a person) reprepsented by the Certificate.</p>
<p>The CredentialsToPrincipalResolver looks into previously validated
Credentials to construct a Principal object containing an ID (and in more
complex cases some attributes). The DefaultCredentialsToPrincipalResolver takes
UsernamePasswordCredentials and creates a SimplePrincipal containing the Userid.</p>

</body>
</html>
